PT-2011-4920 · Goahead · Goahead Web Server
Silent Dream
Published: 2011-11-03
Updated: 2017-08-29
CVE-2011-4273
CVSS v2.0: 4.3 (Medium)
| Vector | AV:N/AC:M/Au:N/C:N/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
GoAhead Webserver version 2.18
Description
The issue concerns multiple cross-site scripting (XSS) vulnerabilities. These vulnerabilities allow remote attackers to inject arbitrary web script or HTML. The affected API endpoints are:
"goform/AddGroup", related to addgroup.asp;
"goform/AddAccessLimit", related to addlimit.asp; and
"goform/AddUser", related to adduser.asp.
The vulnerable parameters are:
the group parameter to "goform/AddGroup";
the url parameter to "goform/AddAccessLimit";
the user (also known as User ID) parameter to "goform/AddUser"; and
the group parameter to "goform/AddUser".
Recommendations
For GoAhead Webserver version 2.18, as a temporary workaround, consider disabling access to the vulnerable API endpoints "goform/AddGroup", "goform/AddAccessLimit", and "goform/AddUser" until a patch is available.
Restrict the use of the vulnerable parameters group, url and user to minimize the risk of exploitation.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
XSS
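The following is an added example, not code from the advisory or from the GoAhead project. It takes the three endpoints and the parameter names listed in the description above and shows two defender-side pieces: a scanner that flags requests whose vulnerable parameters carry HTML markup characters, and the HTML-encoding step that a fix for this class of bug applies before a value is reflected into a page. The access-log format (Apache common log format) and the log lines themselves are constructed assumptions for the sake of the example; GoAhead 2.18 does not necessarily log in this format, and POST bodies are not visible in access logs, so the scanner only sees form values submitted in the query string.

```python
"""
Added example (not GoAhead's or the advisory's own code): detect suspicious
requests to the goform endpoints named in CVE-2011-4273 and show the
output-encoding step that neutralises reflected markup.
Endpoint and parameter names come from the advisory; the log format and
log lines are constructed for this example.
"""
import html
import re
from urllib.parse import parse_qs, urlsplit

# Endpoint -> parameters the advisory names as vulnerable.
VULNERABLE_PARAMS = {
    "/goform/AddGroup": {"group"},
    "/goform/AddAccessLimit": {"url"},
    "/goform/AddUser": {"user", "group"},
}

# Characters that must never reach an HTML page unencoded.
MARKUP_CHARS = re.compile(r"[<>\"']")

# Assumed common log format:
# host ident authuser [date] "METHOD PATH PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')


def suspicious_params(request_target: str) -> dict:
    """Return {param: decoded value} for watched parameters that contain markup."""
    parts = urlsplit(request_target)
    watched = VULNERABLE_PARAMS.get(parts.path)
    if not watched:
        return {}
    found = {}
    # parse_qs percent-decodes values, so %3C is inspected as '<'.
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in watched:
            continue
        for value in values:
            if MARKUP_CHARS.search(value):
                found[name] = value
    return found


def scan_log(lines):
    """Return [(client, request_target, flagged_params)] for suspicious requests."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # not in the assumed format; skip rather than guess
        client, _method, target, _status = match.groups()
        flagged = suspicious_params(target)
        if flagged:
            hits.append((client, target, flagged))
    return hits


def encode_for_html(value: str) -> str:
    """Hardened rendering step: HTML-encode before reflecting a value into a page."""
    return html.escape(value, quote=True)


# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [03/Nov/2011:10:00:00 +0000] "GET /goform/AddGroup?group=admins HTTP/1.0" 200 512',
    '192.0.2.11 - - [03/Nov/2011:10:00:05 +0000] "GET /goform/AddGroup?group=%3Cb%3Ex%3C%2Fb%3E HTTP/1.0" 200 640',
    '192.0.2.12 - - [03/Nov/2011:10:00:09 +0000] "GET /goform/AddUser?user=bob&group=staff HTTP/1.0" 200 600',
    '192.0.2.13 - - [03/Nov/2011:10:00:12 +0000] "GET /index.asp?q=%3Cb%3E HTTP/1.0" 200 300',
]

if __name__ == "__main__":
    for client, target, flagged in scan_log(SAMPLE_LOG):
        print(f"{client} {target} -> {flagged}")
        for name, value in flagged.items():
            print(f"  {name} rendered safely as: {encode_for_html(value)}")
```

The last sample line carries markup in a parameter of an endpoint the advisory does not list, so it is deliberately not flagged; widen `VULNERABLE_PARAMS` if other reflecting endpoints are identified in a given deployment.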
Weakness Enumeration
Related identifiers
Affected products
Goahead Web Server